Author: Bryan Marty

Update: I will be putting together a how-to for using the YubiKey to lock down access to many popular websites. Stay tuned!

New Year's resolutions are tough, but here is one you can keep: secure your digital life! It seems like every day we read a news story about a corporation getting hacked, private details leaked, or credit cards stolen. This New Year's, resolve to lock down access to your online information, starting with your account access.

The password is dead, long live the password!

How hard do you think it is for someone to guess your password? Is it your mother's maiden name, or perhaps your driver's license number? How long do you think it takes a computer to brute-force your password? Hint: not long. The password is dead, long live the password! Well, almost. We need more than just a password, and most major sites (Gmail, Facebook, etc.) support two-factor authentication (2FA). With 2FA, a password is not enough: you also need to provide a time-sensitive one-time code, usually generated by an app on your phone or by a key fob.

You may have seen this already; in fact, you may have Google Authenticator or Duo installed on your phone, and that's great! It's definitely a step in the right direction… but did you know the secret keys stored on your phone are accessible to just about anyone who can get at its storage? Yup. Those apps keep the seed used to derive your login codes in ordinary app storage on the phone. Anyone who can read that storage (a rooted device, malware running with elevated privileges, a backup pulled off the phone) can copy the seed and generate exactly the same codes you do.

That's where hardware comes in. A hardware token is harder to crack (but not impossible): the secret is stored in write-only areas, meaning it can be loaded into the device but never read back out, so an attacker who wants the key used to generate your login codes has to attack the chip itself rather than copy a file. My favorite device so far is the YubiKey, which can do just about anything. From OTP to U2F (the FIDO second-factor protocol), this little key does it all, including holding GPG keys. It even has native support for Gmail (and Google Apps).

Yubikey

The Two Factor Auth List has a list of popular websites that support two-factor authentication. Most sites that support a hardware token or a one-time-code app will work with the YubiKey, including the popular LastPass password manager.

Last night a terrible thing happened: I dropped my Razr Maxx and shattered the screen. In its defense, I have dropped it on many occasions, including (accidentally) throwing it across a concrete garage (face down) and kicking it into a wall (from bed). Without even a scratch on the screen, it withstood my abuse like a champ, but last night it just couldn't handle the sharp, jagged rocks that broke the screen.

Sometimes people get lucky, and even though the screen is shattered, it's still usable (albeit with touch sensitivity that probably sucks after that). If that were my case… I wouldn't have anything to write about. No… my screen no longer turned on. So now what?

Remote control it! It is an Android after all (pun intended).
Here's what we need:

The first thing I did was start up the Android Screencast Java program. This little program detected my plugged-in phone and immediately brought up my screen. Apparently, if you have a rooted device, you can also send clicks from the program. Unfortunately, my device was not rooted.

In order to send commands to your phone, you are going to need the Android SDK. Once you have it installed, find the platform-tools folder, cd into it, and run:

./adb shell

That should drop you into a shell on the phone, from which you can send it commands (for example, `input tap` and `input keyevent` work on an unrooted device). Two caveats: this only works if USB debugging was already enabled in the developer settings before the screen died, and on Android 4.2.2 and later the computer's adb key must already have been accepted on the phone, because you can no longer tap the prompt. The flip side is worth remembering once the phone is fixed: a phone left with USB debugging on can be driven the same way by anyone who plugs a cable into it.
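Once `adb shell` answers, the whole blind-unlock can be scripted instead of typed one command at a time. The following is an added example written for this post, not the author's code or anything shipped with the SDK. It assumes `adb` from platform-tools is on PATH and that USB debugging was already on; the swipe coordinates and the PIN are constructed placeholders you would adjust after pulling a screenshot, and the serial number in the usage is made up.

```python
"""Added example: drive an Android phone with a dead screen over adb.
Not from the original post. Assumes USB debugging was enabled before the
screen broke; coordinates, PIN and serial are constructed placeholders."""
import subprocess
from typing import List, Optional

# Android key codes (android.view.KeyEvent); numeric codes work on old builds too.
KEYCODE_HOME = 3
KEYCODE_POWER = 26
KEYCODE_ENTER = 66


class Phone:
    """Thin adb wrapper. With dry_run=True nothing is executed; every
    command is still recorded in `log` so the sequence can be reviewed."""

    def __init__(self, adb: str = "adb", serial: Optional[str] = None,
                 dry_run: bool = False) -> None:
        self.adb = adb
        self.serial = serial
        self.dry_run = dry_run
        self.log: List[List[str]] = []

    def _run(self, *args: str) -> str:
        cmd = [self.adb] + (["-s", self.serial] if self.serial else []) + list(args)
        self.log.append(cmd)
        if self.dry_run:
            return ""
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

    # `adb shell input ...` needs no root, unlike clicks from Android Screencast.
    def tap(self, x: int, y: int) -> None:
        self._run("shell", "input", "tap", str(x), str(y))

    def swipe(self, x1: int, y1: int, x2: int, y2: int) -> None:
        self._run("shell", "input", "swipe", str(x1), str(y1), str(x2), str(y2))

    def type_text(self, text: str) -> None:
        # `input text` splits on spaces; the input tool accepts %s for a space.
        self._run("shell", "input", "text", text.replace(" ", "%s"))

    def key(self, keycode: int) -> None:
        self._run("shell", "input", "keyevent", str(keycode))

    def screenshot(self, local_path: str) -> None:
        # See the screen without Android Screencast: capture on-device, then pull.
        self._run("shell", "screencap", "-p", "/sdcard/screen.png")
        self._run("pull", "/sdcard/screen.png", local_path)


def device_state(devices_output: str) -> Optional[str]:
    """Parse `adb devices` output. 'device' means ready; 'unauthorized'
    means the RSA-key prompt was never accepted on the (now dead) screen,
    so adb will refuse every command; None means nothing is attached."""
    for line in devices_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            return parts[1]
    return None


def unlock_with_pin(phone: Phone, pin: str) -> List[List[str]]:
    """Wake the phone, swipe past the lock screen and enter a PIN blind.
    Returns the command log so a dry run can be inspected."""
    phone.key(KEYCODE_POWER)           # wake the dark display
    phone.swipe(360, 1100, 360, 400)   # swipe up to the PIN pad (assumed layout)
    phone.type_text(pin)
    phone.key(KEYCODE_ENTER)
    return phone.log


if __name__ == "__main__":
    import sys
    if "--run" in sys.argv:
        phone = Phone()
        state = device_state(phone._run("devices"))
        if state != "device":
            sys.exit("phone not usable over adb: %s" % (state or "not found"))
        unlock_with_pin(phone, "1234")
        phone.screenshot("screen.png")
    else:  # default: dry run, print what would be sent
        for cmd in unlock_with_pin(Phone(dry_run=True), "1234"):
            print(" ".join(cmd))
```

Run it without arguments first to read the command sequence, then with `--run` once `device_state` reports `device`; if it reports `unauthorized`, no amount of scripting will help, because the authorization can only be granted on the phone's screen.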

Django is a great web framework for building websites. It handles so many things for you that sometimes it can't handle the most basic things. If you have ever tried to use triggers in MySQL with Django, you know what I mean (or will soon find out). Now, you may not have many uses for triggers, especially when Django handles the majority of the work for you automatically, but in some cases it is necessary to define your own triggers at the database level (like for a database course in college).

Django provides you with this really nice "syncdb" command, but there isn't an obvious way to insert custom triggers. Searching around, I found that you can provide "custom" SQL during the process, which seems like a great place to insert triggers. Just add a "sql/" folder to your Django app and create a file called <model_name>.sql, or, if you want to be database-specific, <model_name>.mysql.sql. At first I thought this would be a great place for the trigger, but it didn't work. Django kept getting hung up on the ';' in the trigger.

When creating a trigger using a GUI like MySQL Workbench or Sequel Pro, the application sends SQL statements to the server one at a time, split on the ';'. The problem is that a trigger body contains ';' of its own, so the client cuts the CREATE TRIGGER in the middle. For example, the following would not work:

I spent the better part of an hour trying to figure out why. It turns out the ';'s really confused Sequel Pro and MySQL Workbench. The solution was to change the delimiter (the client-side DELIMITER command) so the inner ';' are no longer statement boundaries, and execute the following statement:

Great! Now I can actually get this trigger into the database, but if I use the latter example in the <model_name>.mysql.sql file, it still doesn't work! DELIMITER is a command understood by the mysql client, not by the server, so Django passes it straight through and MySQL rejects it, and Django does its own splitting of the file into statements on semicolons at the end of a line. Finally, I stumbled upon ticket #3214 on the Django website. While I wasn't too keen on doing any kind of patch, there was an interesting little snippet I read in there.

"As a workaround, multi-line SQL statements have to have something other than whitespace between their semicolons and newline characters." -Sam Morris
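The following is an added example, not code from the post or from Django, that shows both fixes side by side: the DELIMITER version for the GUI clients and the ticket #3214 version for <model_name>.mysql.sql. The splitting rule is my reconstruction of how syncdb cut a custom SQL file into statements (a ';' followed only by spaces or tabs up to the end of a line); the table and column names are constructed for the demo.

```python
"""Added example: why a MySQL trigger in <model_name>.mysql.sql broke
Django's syncdb and why Sam Morris's workaround from ticket #3214 fixes it.
Not the post's or Django's code; the regex is a reconstruction of Django's
statement splitter and the schema is made up."""
import re
from typing import List

# A statement ends at a ';' followed by nothing but spaces/tabs before the newline.
STATEMENT_END = re.compile(r";[ \t]*$", re.M)


def split_custom_sql(sql: str) -> List[str]:
    """Split a custom SQL file into statements the way syncdb did."""
    return [s.strip() for s in STATEMENT_END.split(sql) if s.strip()]


# What you paste into the mysql client, Workbench or Sequel Pro. DELIMITER is a
# client command, not SQL: Django would hand it to the server, which rejects it.
TRIGGER_FOR_MYSQL_CLIENT = """
DELIMITER $$
CREATE TRIGGER order_before_insert BEFORE INSERT ON shop_order
FOR EACH ROW
BEGIN
    SET NEW.created = NOW();
    SET NEW.total = NEW.quantity * NEW.unit_price;
END$$
DELIMITER ;
"""

# The same trigger without DELIMITER: the two inner ';' sit at end of line,
# so Django cuts the file into three fragments and MySQL gets a trigger
# whose body stops at the first SET.
TRIGGER_BROKEN_IN_DJANGO = """
CREATE TRIGGER order_before_insert BEFORE INSERT ON shop_order
FOR EACH ROW
BEGIN
    SET NEW.created = NOW();
    SET NEW.total = NEW.quantity * NEW.unit_price;
END;
"""

# Ticket #3214 workaround: anything other than whitespace between an inner
# ';' and the newline (a comment will do) keeps the body as one statement.
TRIGGER_WORKS_IN_DJANGO = """
CREATE TRIGGER order_before_insert BEFORE INSERT ON shop_order
FOR EACH ROW
BEGIN
    SET NEW.created = NOW(); -- keeps Django from splitting here
    SET NEW.total = NEW.quantity * NEW.unit_price; -- and here
END;
"""


def check_custom_sql(sql: str) -> List[str]:
    """Return each statement MySQL would receive; one entry means the trigger
    arrives whole. Run this over a .mysql.sql file before trusting syncdb."""
    return split_custom_sql(sql)


if __name__ == "__main__":
    for name, sql in [("broken", TRIGGER_BROKEN_IN_DJANGO),
                      ("workaround", TRIGGER_WORKS_IN_DJANGO)]:
        parts = check_custom_sql(sql)
        print("%s: %d statement(s)" % (name, len(parts)))
        for p in parts:
            print("  ", p.replace("\n", " "))
```

Keep the DELIMITER version for interactive clients and the commented version in the Django app's sql/ folder; the same file will not work in both places.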

So I thought I'd talk about my recent trip to Washington D.C. to attend the Energy Datapalooza conference. The first thing I noticed in D.C. was this: the Metro system there is really nice. I mean really, really nice. Cleveland's RTA system could surely take a leaf out of D.C.'s book when it comes to the cleanliness of its stations. But I digress; the conference was very interesting. It started out like this: waking up at 6 in the morning and trying not to look like a zombie. Getting to the conference was easy (see above: the Metro there is nice!).

Who is that dashing young man on the left? Oh! That's me!

Ok ok, the conference. It started out with some really great talks; I especially enjoyed the one by the Founder and CEO of WattzOn, Martha Amram. WattzOn has definitely got some good stuff going on, including a new app they just released that helps you choose new appliances that are both low-cost and energy efficient. There were quite a few good talks, and then the Secretary of Energy, Dr. Steven Chu, gave a great speech on how there is such a large market of energy-related applications just waiting to be developed.

Video: http://www.youtube.com/v/cspiqloXVP4
Oh, and you see the back of that kid's head on the right side of the video? That's me too!

There was also an award ceremony for the Apps For Energy contestants, where we were invited onto the stage to shake Dr. Steven Chu’s hand and get our picture taken.

Ok, so after all the presentations, we went up to the 4th? floor and set up our table. I think we took the prize for the most screens on a single table: two phones, two tablets, and my laptop (my gorgeous Retina MacBook Pro). Various people walked around checking out the displays. I got to talk with a lot of people and demonstrate our application. Even Martha Amram (WattzOn) stopped by and gave me her business card (which I was excited about). We definitely got some great feedback, so now it's a matter of incorporating those suggestions into our application and releasing an update. When you're one of two programmers, that can definitely take some time, but I'm working on it!

It's hard to believe that only a few months ago, my team and I won second prize in the Student Division of the Apps For Energy contest. It still hasn't quite sunk in yet… we won a national competition… that is just amazing. One of my teammates was talking about it to a friend during a car ride (late Chinese food run), and she was totally amazed. Me?… I was amazed at her amazement. Did my team really just place in this national competition? I still feel like the same person. The whole thing just seems so surreal, like it was all a dream.

As a winning team, we have been invited to Washington D.C. to attend the “Energy Datapalooza”, with a booth demonstrating our application. I just got this in the mail, which drives home the impressiveness of what my team has achieved. I’m really proud of my team, but we have a lot more to accomplish before we can rest.

ENERGY DATAPALOOZA
Unleashing the power of data to advance our energy future
The White House Office of Science and Technology Policy, Council on Environmental Quality, the U.S. Department of Energy, and the U.S. Environmental Protection Agency cordially invite you to join us for an "Energy Datapalooza," highlighting innovators and entrepreneurs who are using freely available data from the government and other sources to build products, services, and apps that advance a secure and clean energy future.